You have a tricky scenario on your hands; I can understand your pain about a notified body's issuance of a nonconformity regarding a certification that you don't yet hold. On the other hand, the notified body must confirm that you are fully compliant before issuing the certification. There's a chicken-and-egg dynamic there. In the end, you may be fighting a losing battle if you choose to argue. Indeed, the notified body's governing standard generally demands writing up a Nonconformity for nonconformance at the pre-certification audit even though the auditee isn't yet certified. Consequently, it is typical that Nonconformities will be issued at the pre-certification stage if the auditee hasn't yet demonstrated full conformity.
Don't overlook the fact that EU MDR Article 10(9) third paragraph indent (a) (strategy for regulatory compliance) and (m) (processes for monitoring and measurement) would generally be the EU MDR elements that demand inclusion of the EU MDR in the scope of the internal audit program. Moreover, a recognized state-of-the-art standard for auditing of quality management systems (ISO 19011 as amended), as well as ISO 13485 (if applied), require applicable regulatory requirements to be included in the internal audit program and schedule. That said, there is certainly no EU MDR legislative requirement demanding EU MDR internal auditing each year.
But getting back to the heart of your frustration, I can say that if you haven't yet performed an internal audit against the EU MDR
formally using your internal audit process (rather than just having a mock audit), then the basis on which a notified body could justify a nonconformity is this: It could be argued that it's impossible to objectively show compliance with the aforesaid Article 10(9) provisions
without such an internal audit. Indeed, the proper integration and execution of internal auditing against the EU MDR are exercises that raise different questions than does the exercise of having a mock audit.
Ultimately, isn't it an easy fix to just do an EU MDR internal audit? Perhaps you already have folks in your organization that can do them. Or, there are plenty of experts here in the Forum that do them regularly for our clients. This can be accomplished via a relatively short internal audit. That's food for thought, as it could be easier than enduring the notified body's dispute-resolution process, which would generally be more costly and time consuming in the end in case you aren't able to argue the notified body out of its current stance...
------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
------------------------------
Original Message:
Sent: 29-Mar-2022 20:57
From: Anonymous Member
Subject: Internal Audit (EU MDR)
This message was posted by a user wishing to remain anonymous
We are currently undergoing a EU MDR audit. The reviewer wrote a major nonconformance because we did not include EU MDR in our internal audit schedule on last year (2021). We had a mock EU MDR audit late 2020 through an external company. We then established a project team to address the nonconformances in 2021. In 2022, we added EU MDR to our internal audit schedule in hopes to show this during our EU MDR audit. The auditor is stating that we are not able to demonstrate compliance to EU MDR because we didn't include it in our internal audit schedule in 2021 and did not audit to EU MDR last year. We did however include MDD as this is the certification we currently hold. Does any one have any insight into this? I totally disagree with needing to perform internal audits to a regulation in which you don't hold a certification, but I wanted to get your insight.